The ultimate client-side reconnaissance tool for security researchers. Extract hidden API routes, sensitive parameters, and hardcoded secrets instantly from any website.
Built for recon - Fast, lightweight and 100% client-side.
👉 Try JSpider V2.0 now:
https://iamshafayat.github.io/JSpider/
JSpider V2.0 is a massive evolution, transforming from a simple scraper into a proactive reconnaissance suite.
- Sensitive Path Prober: Automated checks for 500+ critical paths including
.env,.git/config,phpinfo.php, backups, and cloud configurations. Features live response length filtering, instantaneous stop controls, and one-click inspection for 200/403 responses. - Parameter Discovery: Dedicated extraction and grouping of URL parameters to identify potential injection points.
- Recursive Discovery Engine: Full website crawling capability (Depth 1) with deep script analysis to find hidden routes.
- Precision Secret Detection: High-fidelity regex for 20+ patterns including AWS, Google Cloud, Stripe, Slack/Discord Webhooks, and JWT.
- High-Fidelity Mapping: Captures raw file paths and absolute URLs without truncation, preserving double slashes and complex structures.
JSpider is a powerful security reconnaissance tool designed for:
- 🔍 Endpoint Discovery: Find hidden routes and API calls.
- 🔑 Secret Detection: Automatically identify API keys, tokens, and sensitive data.
- 🕷️ Recursive Crawling: Deeper discovery by following same-domain links.
- 🧩 Reverse Engineering: Analyze client-side behavior and dynamic URLs.
It extracts data from external JS files, inline scripts, and HTML source code - instantly and completely in your browser.
| Feature | Description |
|---|---|
| 🔑 Secret Detection | High-fidelity detection for 20+ keys including AWS, Google, Stripe, Slack/Discord Webhooks, and JWT. |
| 🕷️ Recursive Scan | Depth-limited (v2.0: Depth 1) crawling of internal links. |
| 📊 Real-time Stats | Live dashboard tracking Scanned URLs, Endpoints, Secrets, and Files. |
| 🛡️ Path Prober | Manual check for 500+ paths with response lengths, live filtering, and stop controls. |
| 🎯 Result Filtering | Instantly sort findings into Endpoints, Secrets, and Files with a global filter. |
| 📄 Advanced Export | Export to .txt, .json, .csv, and professional .md reports. |
| ✅ 100% Client-Side | No backend, no data leakage - privacy-focused by design. |
JSpider automatically excludes architectural noise to focus on valuable recon:
- Static Assets: Blocks
*.png,*.css,*.woff,*.svg, etc. - Social & Analytics: Filters LinkedIn, Facebook, Google Analytics, GTM, etc.
- Known CDNs: Ignores common libraries from jsDelivr, cdnjs, unpkg, etc.
- Invalid Prefixes: Excludes
data:,blob:,mailto:,tel:, etc.
- Visit https://iamshafayat.github.io/JSpider/
- Enter a target URL (e.g.,
https://example.com). - Click Scan Page for a quick analysis or Full Scan for recursive domain discovery.
- Monitor the Dashboard to see live extractions of Endpoints, Parameters, Secrets, and Files.
- Use the Category Tabs to filter results and the Global Search for specific keywords.
- Export your findings in
.txt,.json,.csv, or.mdformats.
- Switch to the Sensitive Path Prober tab from the header menu.
- Enter the target domain (e.g.,
https://example.com). - Click Check Paths to start probing 500+ critical paths (e.g.,
.env,.git,phpinfo.php). - Watch the Progress Bar and live Status Counters (200, 403, 404).
- Use the Status Filters (Found, Forbidden, Missing) to analyze the detected paths live.
- Advanced Filtering: Use the Include/Exclude Lengths inputs to filter out standard WAF block pages by their byte size (e.g., exclude
127, 403). - 🔗 Use the OPEN🔗 buttons to instantly verify 200 and 403 leaks in a new tab.
- Structure: HTML5 & CSS3 (Advanced Glassmorphism UI)
- Logic: Vanilla JavaScript (ES6+ / Async-Await)
- Engine: High-Precision Regex Engine
- Proxy: Cloudflare Workers (Lightweight Proxy for CORS bypass)
This project is licensed under the Apache License 2.0.
Made with ❤️ by Shafayat Ahmed Alif & Kazi Sabbir for Security Researchers.
Feel free to connect or suggest improvements.